Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM Guest Portal High Availability Question

  • 1.  CPPM Guest Portal High Availability Question

    Posted Jan 06, 2021 01:08 AM
    Hello

    I have Aruba Central managing my IAP deployment, and one of the SSIDs is for a guest portal on CPPM (ClearPass Policy Manager 6.9).

    I have two CPPM servers. Each server has a Management Port and Data Port configured with an IP address - but CPPM01 and CPPM02 are in different data centres and hence not on the same VLANs (i.e. there are 4 IP subnets involved here).

    I think this is a problem because I cannot see how the guest portal will survive when I disable CPPM01 for a failover test to CPPM02. The WLAN has both CPPM servers configured, and I know failover works well for 802.1X SSIDs - but how can it work with portals, because there is only one Captive Portal Profile per WLAN? In my case the FQDN (e.g. guest.mycompany.com) is hard-coded to CPPM01 because that is what the DNS is configured as (it only has 1 DNS A record). Thus, if I failed CPPM01, then the MAB would reach CPPM02, but no captive portal would be possible.

    Does that mean that I need to:
    • Put both CPPM Data Ports on the same VLAN, and create a VIP?
    • Create a DNS entry for that VIP and make it guest.mycompany.com?
    Regards

    PS: I can't seem to embed images on this fancy new interface ... I took some screenshots of Aruba Central config for clarity and attached them instead

    ------------------------------
    Arne Bier
    ------------------------------


  • 2.  RE: CPPM Guest Portal High Availability Question
    Best Answer

    Posted Jan 06, 2021 01:40 AM
    Typically for your deployment I'd suggest one of two options:

    1. Create an L2 extension for a single VLAN where the CPPM data ports live, so you can 'host' the VIP for the captive portal.
    2. Front-end your infrastructure with an ADC/SLB VIP that is the captive portal IP in the IAPs; this 'hides' the back-end infrastructure, and the ADC deals with the failover via simple HCs.

    HTH

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 3.  RE: CPPM Guest Portal High Availability Question

    Posted Jan 06, 2021 03:52 AM
    Thanks for confirming! I'll go with option 1.

    I don't have a load balancer - and Option 2 seems fraught with complications because I don't know how one would co-ordinate the RADIUS traffic to always go to the appropriate CPPM server (load balancer persistence logic for MAB auth, RADIUS accounting and portal), unless the IAP/NAS uses the same VIP for its RADIUS traffic, AND the captive portal IP/FQDN is the VIP.


    ------------------------------
    Arne Bier
    ------------------------------



  • 4.  RE: CPPM Guest Portal High Availability Question

    Posted Jan 06, 2021 08:46 AM

    I've done another method previously where neither of the options above was applicable, and with the CPPMs being L3-separated so a VIP could not be used. I created 2x Captive Portal Profiles on the IAP which resolved to the URL of each Captive Portal page on either CPPM-A or CPPM-B. In my case, we used a DNS record to form the URLs for each Captive Portal.

    I then proceeded to create 2x Pre Auth User Roles on the IAP which referenced either CPPM-A or CPPM-B and returned the respective Captive Portal URL for either CPPM-A or CPPM-B depending on which CPPM was hit first. 

    Within my CPPM policy, I configured the 2x services to return either Pre Auth User Role 'A' (which contain the Captive Portal of CPPM-A) or Pre Auth User Role 'B' (which contain the Captive Portal of CPPM-B) depending on the destination IP address of the RADIUS Packet. 

    This would mean that in my AAA Server configuration, if CPPM-A was online it would respond and return the Aruba User Role 'A' which contained the Captive Portal of CPPM-A as it had matched the destination IP of CPPM-A.

    If CPPM-A was offline, the IAP would then fall through to try CPPM-B. This would match the Service for CPPM-B (as the service looks for the destination IP of CPPM-B) and return the Aruba User Role 'B', which contained the Captive Portal of CPPM-B as it had matched the destination IP of CPPM-B.

    For example:

    CPPM-A = 192.168.1.1
    CPPM-B = 192.168.2.1

    user-role 'pre-auth-cppm-a'
    -> captive portal 'https://guest-a.acme.com/guest/register.php?' (URL resolves to cppm-a, for example 192.168.1.1)

    user-role 'pre-auth-cppm-b'
    -> captive portal 'https://guest-b.acme.com/guest/register.php?' (URL resolves to cppm-b, for example 192.168.2.1)

    Auth Server Priority Order
    1) CPPM-A = 192.168.1.1
    2) CPPM-B = 192.168.2.1

    2x CPPM Services

    If 'Connection' 'Dest-IP-Address' equals 192.168.1.1 return Aruba User Role 'pre-auth-cppm-a'
    or
    If 'Connection' 'Dest-IP-Address' equals 192.168.2.1 return Aruba User Role 'pre-auth-cppm-b'

    Cheers,
    Craig



    ------------------------------
    Craig Syme
    ------------------------------
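Craig's failover logic above, modelled as an added Python example (not Aruba's code or anything posted in this thread). The IPs, FQDNs and role names are constructed placeholders following his post, and the single-FQDN variant reproduces Arne's original problem so the difference is visible:

```python
from urllib.parse import urlparse

# Constructed sample values following Craig's post: two CPPM nodes in separate L3 subnets.
CPPM_A = "192.168.1.1"
CPPM_B = "192.168.2.1"

# IAP pre-auth user roles and the captive-portal URL each one carries (constructed).
ROLES = {
    "pre-auth-cppm-a": "https://guest-a.acme.com/guest/register.php",
    "pre-auth-cppm-b": "https://guest-b.acme.com/guest/register.php",
    "pre-auth-single": "https://guest.mycompany.com/guest/register.php",  # Arne's one-FQDN setup
}

# Constructed DNS view: which node's data port each portal FQDN resolves to.
DNS = {
    "guest-a.acme.com": CPPM_A,
    "guest-b.acme.com": CPPM_B,
    "guest.mycompany.com": CPPM_A,  # single A record pointing at the first node only
}

# CPPM services keyed on Connection:Dest-IP-Address -> Aruba User Role in the Access-Accept.
SPLIT_SERVICES = {CPPM_A: "pre-auth-cppm-a", CPPM_B: "pre-auth-cppm-b"}
SINGLE_PORTAL_SERVICES = {CPPM_A: "pre-auth-single", CPPM_B: "pre-auth-single"}


def cppm_respond(dest_ip, services, online):
    """Model one CPPM node: an offline node times out (None); an online one matches by dest IP."""
    if dest_ip not in online:
        return None
    return services.get(dest_ip)


def iap_mac_auth(priority, services, online):
    """Model IAP auth-server priority: try servers in order, return (server, role, portal_url)."""
    for server in priority:
        role = cppm_respond(server, services, online)
        if role is not None:
            return server, role, ROLES[role]
    return None, None, None  # every server timed out: MAB fails and no portal is possible


def portal_reachable(portal_url, online):
    """The portal only works if the FQDN in the returned role resolves to a node that is up."""
    host = urlparse(portal_url).hostname
    return DNS.get(host) in online
```

With `SPLIT_SERVICES` the surviving node always returns a role whose portal it hosts itself; with `SINGLE_PORTAL_SERVICES` CPPM-B still answers the MAB request when CPPM-A is down, but hands out a portal URL that resolves to the dead node.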



  • 5.  RE: CPPM Guest Portal High Availability Question

    Posted Jan 06, 2021 06:53 PM
    Hello Craig

    I like your suggestion - this is how I typically handle the Cisco ISE portal issue (when there are only two ISE nodes). I know ISE a lot better than I do ClearPass, but I think the principle is the same.
    Due to my lack of CPPM expertise (I know what I know ...) I still have some questions about the implementation of this approach.
    The IAP WLAN configuration can only have one Captive Portal Profile - if I implement your suggestion, which Captive Portal Profile do I select in the IAP? Or does it even matter, since I get the feeling that the CPPM RADIUS results will overwrite the WLAN settings anyway? Is that correct? Is there any specific config in the IAP to tell it to allow this 'RADIUS override'?

    When creating the two new roles in the IAP and adding the Access Rule (Rule Type: Captive Portal), there is the ability to specify the Captive Portal URL - which one wins out in the end? I have a Captive Portal Profile on the WLAN, and now the role that CPPM assigns will simply override that Captive Portal Profile?

    Thanks for your help - the picture is hopefully getting clearer. CPPM is very powerful but requires some practice ... like most good things :)

    Cheers

    ------------------------------
    Arne Bier
    ------------------------------



  • 6.  RE: CPPM Guest Portal High Availability Question

    Posted Jan 07, 2021 04:02 AM
    Hey Arne,

    You are correct, you can only specify a single Captive Portal as part of the wizard; however, this will be overwritten by the Aruba User Role (and Captive Portal) returned by CPPM. A returned Aruba User Role has a higher priority than the default role.

    https://www.arubanetworks.com/techdocs/Instant_86_WebHelp/Content/instant-ug/roles-and-pol/role-assign-rule.htm

    As for the second question, in regard to having 2x User Roles and which one wins: it would depend on the Auth Server priority you define as part of the Network Wizard. So, if your server list is 1) CPPM-A and 2) CPPM-B: if CPPM-A responds, User Role 'A' with Captive Portal 'A' will be returned. If CPPM-A is not available, the IAP will then try Server 2), which is CPPM-B, and User Role 'B' with Captive Portal 'B' will be returned.


    ------------------------------
    Craig Syme
    ------------------------------